Symantec CEO Refuses Russian Source Code Review

Cybersecurity firm Symantec is putting the kibosh on its former practice of allowing governments to review the source code of its software. According to Symantec Chief Executive Greg Clark, allowing such inspections runs a high risk of the security of its products being compromised.

The move comes as tech firms worldwide have been under intense pressure from the Russian government to hand over access to their source codes — in return for approval to sell goods in Russia. Symantec once allowed for said reviews, but Clark says the firm now believes such inspections open the firm up to increased security threats and that the risk of losing customer confidence by allowing reviews was not worth the sales the firm could net in Russia.

Symantec changed its policy over the summer — Clark’s conversation with Reuters on the subject is the first official explanation Symantec has offered as to why.

Clark noted they will still sell their goods in any country that wants them.

“That is a different thing than saying, ‘Okay, we’re going to let people crack it open and grind all the way through it and see how it all works. These are secrets, or things necessary to defend (software),” Clark said of source code. “It’s best kept that way.”

Symantec has a relatively small Russian footprint — meaning the choice was easier for Symantec than some of their rivals, who are more deeply embedded.

“We’re in a great place that says, ‘You know what, we don’t see a lot of product over there,’” Greg Clark said. “We don’t have to say yes.”

Western cybersecurity experts more or less applauded Symantec’s choice to throw off the recent tradition.

“They took a stand, and they put security over sales,” said Frank Cilluffo, director of the Center for Cyber & Homeland Security at George Washington University and a former senior homeland security official to former President George W. Bush. “Obviously, source code could be used in ways that are inimical to our national interest. They took a principled stand, and that’s the right decision and a courageous one.”

Earlier this year, Beijing put in place a new cybersecurity law that foreign business groups have warned could adversely impact trade because of its data surveillance and storage requirements.

Clark said Symantec thus far has not gotten any requests to review source code from Beijing — but he did note they will get the same answer Russian has.

“We just have taken a policy decision to say, ‘Any foreign government that wants to read our source code, the answer is no,’” Clark said.